ngSanitize does not allow allow id attribute

Question

I am using ngBindHtml to display some HTML from an (internal) CMS:

<span ng-bind-html="cmsHtml"></span>

The HTML contains a link with an id attribute:

"<a id='fsgPdfLink' href='http://blah/download.pdf' target='_blank'>Click here to download the PDF</a>"

However, I notice that the id attribute is removed by angular before writing the link to the page, so what gets rendered is just:

<a href='http://blah/download.pdf' target='_blank'>Click here to download the PDF</a>

Looking at the source for the ngSanitize module, it seems that for some reason the id attribute is not on the list of valid attributes:

https://github.com/angular/angular.js/blob/master/src/ngSanitize/sanitize.js#L206

1. What's the reason for not allowing the id attribute? Is it a security risk?
2. I'd really like to continue to use ngBindHtml if possible. Is there an API where I can add safe tags to the sanitizer's list? Or do I have to edit the source myself to add this tag?

Answer 1

To partially answer my own question, there doesn't seem to be an API to change the built-in whitelist, as described in this open issue:

https://github.com/angular/angular.js/issues/5900